Law Firm Mobile Data Security: We All Have An Ownership Role In This

By Rick Varju posted 05-29-2015 22:33


An estimated 28% of business content resides solely on end-user devices today. This growing trend, coupled with increased usage of services that store and share information outside the visibility of the enterprise, is driving an ever-increasing need to educate our lawyers and support staff on how to become better firm and client data stewards.

There’s no denying it: advancements in mobile computing and cloud storage technology have opened up a whole new world of options for lawyers to connect with clients and their data 24 hours a day from any device with an Internet connection anywhere around the globe. The new efficiencies gained have been truly transformational for lawyers and the clients they serve. However, these incredible efficiencies have also given rise to newer and larger data security and privacy risks that cannot be ignored. With at least 3 out of every 10 documents now being stored outside of firm-sanctioned and secured repositories (and I think that’s being very conservative), we need to get everyone on the same page about data privacy and security, and we need to do it now.

Consider this for a moment: how do you protect your personal belongings today? If you’re like most people, you lock your will, tax and insurance documents and other valuables in a locked cabinet, safe or closet. Chances are you lock your house and automobiles before you leave them unattended as well. We’re all taught and conditioned to protect and secure our personal belongings so that someone else can’t come along and take them. So, why do we not treat personal, corporate and client data and our most highly valued business relationships with the same level of protection and care? I have yet to meet a lawyer who ever wants to have to tell a highly valued client that they left their data unprotected – ever. Yet that is exactly what is happening every time data is stored outside firm-sanctioned and secured repositories without being password protected or encrypted first. While most of us would never think of doing it, it’s the equivalent of leaving your home or automobile unlocked while away from them.

Make no mistake about it, the biggest mobile data privacy and security challenges we face in the era of the consumerization of IT, mobile computing and data portability are just as much behavioral and cultural as they are technical. Yet many seem to keep trying to solve these challenges mostly with technology, which undoubtedly plays an important role. However, if we’re to truly tackle these challenges head on, we’re going to have to find more effective ways to break down the behavioral and cultural obstacles that represent the bigger chink in the armor when it comes to data privacy and security. We need to make securing mobile corporate and client data just as much a conditioned human response as locking our homes and automobiles or putting on our seat belts before we drive. And, oh by the way, we need to make the process of securing data easier, not more complex, intrusive and restrictive.

So, how do we fix this? Well, the first step towards fixing any problem is to first admit that you have one. And, well, you have one. If this topic isn’t already being openly and honestly discussed with senior management, you need to get started there first. It’s critical that this be addressed for what it is: a business risk issue, not just a technology issue. We all need to own this problem (IT, IG and lawyers alike). Applying technology alone to try to solve the problem only covers half of the equation. There’s a big human element involved in all of this that must be considered and pursued just as aggressively.

User Awareness/Data Stewardship + Technology = A Recipe for Success 

Successfully developing a culture that is truly data protection focused requires commitment at all levels of an organization to be responsible data stewards. We must view corporate and client data as highly valued assets just as if they were our own. We must embrace an approach that focuses on data stewardship augmented by technology. It can’t be just one or the other. It must include an equitable balance of both.

User Awareness Training / Data Stewardship 

User awareness training is important for several reasons. First, it raises awareness and helps establish a baseline understanding of the risks data can be exposed to when left unprotected. Second, it raises awareness of the tools available to truly secure data down to the file level wherever it may reside and of course how to use the tools effectively. Last, but certainly not least, the more aware we are of the risks, and the more comfortable we become with the technology available to secure our data, the more successful we’ll be at changing the culture and human behavior that is such a big contributor to the risks we’re facing today. Develop your User Awareness and Data Stewardship strategy in partnership with top firm management and secure their commitment to back and help execute that strategy. This should be a team effort between IT, IG and senior firm management. Leverage every communication and training option you have at your disposal for this.


We have to condition ourselves to “lock up” our data just as we do our homes and automobiles. This can be accomplished by anything from something as simple as password protecting sensitive documents to using more advanced data encryption tools. Most firms have invested in some form of mobile device management technology, which is very effective at providing data protection at the device level. However, data is highly mobile and rarely lives on just a single device or service today. It lives on our laptops, MacBooks, iPads, smartphones, personal email accounts, thumb drives, hotel or conference kiosks and within our own personal cloud storage repositories. As such, we need to do more than protect data at just the device level. To truly keep all sensitive data secure, you really have to protect it wherever it may reside or end up. The best way to do this today is through the use of file encryption. There are a good handful of products available today that can do this. Some are free, some are not, and of course some are easier to use than others. This is where user awareness training is really critical. You won’t get widespread adoption if you can’t get widespread buy-in on user awareness training. Data privacy and security is critical to the business and your clients. Make this critical awareness training one of the battles you pick and win.


Regardless of the user awareness training approach you take and technology you use to secure your most sensitive data, I think we can all agree that we all have to take personal ownership of data privacy and security. It’s not just the right thing to do, it’s a requirement of the clients we serve.